mirror of
https://github.com/DNSCrypt/dnscrypt-proxy.git
synced 2025-03-04 02:14:40 +01:00
ESNI -> ECHO
parent
d955dbf020
commit
71ef9c7cd9
1 changed files with 5 additions and 5 deletions
10
Local-DoH.md
10
Local-DoH.md
|
@ -1,8 +1,8 @@
|
|||
# Built-in DoH server / Firefox ESNI
|
||||
# Built-in DoH server / Firefox ESNI (ECHO)
|
||||
|
||||
In addition to responding to standard DNS queries, `dnscrypt-proxy` can also act as a DoH server, and respond to local queries sent over that protocol.
|
||||
|
||||
In particular, this means that Firefox can be configured to use it, so that it will accept to enable ESNI without bypassing your DNS proxy.
|
||||
In particular, this means that Firefox can be configured to use it, so that it will accept to enable ESNI without bypassing your DNS proxy.
|
||||
|
||||
|
||||
In order to enable this, the first thing you need is a certificate. Since this is just for local usage, you can use [that example one](https://raw.githubusercontent.com/DNSCrypt/dnscrypt-proxy/master/dnscrypt-proxy/localhost.pem) or create your own with:
|
||||
|
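Review bot: The rename is only applied to the heading in this hunk; the unchanged context line "In particular, this means that Firefox can be configured to use it, so that it will accept to enable ESNI without bypassing your DNS proxy." still refers to ESNI alone, so the new heading "Firefox ESNI (ECHO)" and the body now use different names for the same extension. Either update that line to mention ECHO as well, or add a short note right under the heading that ECHO is the successor name for ESNI so the rest of the page can keep saying ESNI consistently. While touching the line, "it will accept to enable ESNI" reads awkwardly; "it will allow ESNI to be enabled" says the same thing more plainly.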
@ -40,16 +40,16 @@ cert_key_file = "privkey.pem"
|
|||
|
||||
## How to enable ESNI in Firefox
|
||||
|
||||
Firefox and Cloudflare are currently running an experiment called ESNI. ESNI (that may eventually be renamed to "Encrypted Hello") is a TLS extension to hide the server name in TLS (including HTTPS) connections.
|
||||
Firefox and Cloudflare are currently running an experiment called ESNI. ESNI is the old name of ECHO, a TLS extension to hide the server name in TLS (including HTTPS) connections.
|
||||
|
||||
While this may eventually be a significant privacy improvement, it current has some caveats to be aware of:
|
||||
|
||||
- ESNI is a very early a work-in-progress design and has not yet seen significant (or really any) security analysis.
|
||||
- It is a work-in-progress design and has not yet seen significant (or really any) security analysis.
|
||||
- It hasn't been deployed anywhere, besides an early prototype implemented in Firefox and on Cloudflare servers. Even when using Firefox, ESNI will never be used except when connecting to some websites from Cloudflare customers.
|
||||
- What has been deployed is still missing an important part to protect against censorship (`GREASE`)
|
||||
- Enabling ESNI will trigger an extra DNS query for every single new hostname, even for hosts that don't support ESNI. Every time a query for a host that doesn't support is made, an error will be returned (`NXDOMAIN`).
|
||||
- Enabling ESNI in Firefox breaks some websites ("Secure connection failed - `SSL_ERROR_NO_CYPHER_OVERLAP`" or "[SSL_ERROR_MISSING_ESNI_EXTENSION](https://www.google.com/search?q=%22SSL_ERROR_MISSING_ESNI_EXTENSION%22)").
|
||||
- Keep in mind that ESNI doesn't exist yet. What is available is only an experiment run by two companies.
|
||||
- Keep in mind that ECHO doesn't exist yet. What is available is only an experiment run by two companies.
|
||||
|
||||
Firefox has a setting to enable ESNI, but for some reason, the web browser ignores it unless it was also configured to bypass your DNS settings.
|
||||
|
||||
|
|
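Review bot: The rename is partial in this hunk: "ESNI is the old name of ECHO" and "Keep in mind that ECHO doesn't exist yet" now use the new name, but the section heading "## How to enable ESNI in Firefox", the bullets about deployment, `GREASE`, the extra DNS query and the Firefox error strings, and the closing paragraph about the Firefox setting all still say ESNI, so a reader meets both names with no rule for which is which. Suggest keeping one name throughout and stating the relationship once, for example in the sentence that was already changed: "ESNI is the old name of ECHO, a TLS extension to hide the server name in TLS (including HTTPS) connections." Two context lines also carry typos worth fixing in the same commit since they are in the touched region: "it current has some caveats" should be "it currently has some caveats", and "Every time a query for a host that doesn't support is made" is missing the word "ESNI" (or "ECHO") after "support". The changed bullet "It is a work-in-progress design" correctly drops the doubled "a" from "a very early a work-in-progress", which is fine as written.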